Git fork
at reftables-rust
Git v2.30.8 Release Notes
=========================

This release addresses the security issues CVE-2023-22490 and
CVE-2023-23946.


Fixes since v2.30.7
-------------------

 * CVE-2023-22490:

   Using a specially-crafted repository, Git can be tricked into using
   its local clone optimization even when using a non-local transport.
   Though Git will abort local clones whose source $GIT_DIR/objects
   directory contains symbolic links (c.f., CVE-2022-39253), the objects
   directory itself may still be a symbolic link.

   These two may be combined to include arbitrary files based on known
   paths on the victim's filesystem within the malicious repository's
   working copy, allowing for data exfiltration in a similar manner as
   CVE-2022-39253.

 * CVE-2023-23946:

   By feeding a crafted input to "git apply", a path outside the
   working tree can be overwritten as the user who is running "git
   apply".

 * A mismatched type in `attr.c::read_attr_from_index()` which could
   cause Git to errantly reject attributes on Windows and 32-bit Linux
   has been corrected.

Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.

Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
fix was developed by Patrick Steinhardt.


Johannes Schindelin (1):
      attr: adjust a mismatched data type

Patrick Steinhardt (1):
      apply: fix writing behind newly created symbolic links

Taylor Blau (3):
      t5619: demonstrate clone_local() with ambiguous transport
      clone: delay picking a transport until after get_repo_path()
      dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
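The CVE-2023-22490 entry above turns on two conditions in the source repository's object store: the $GIT_DIR/objects directory being a symbolic link itself, and symbolic links beneath it (the case already rejected since CVE-2022-39253). The following is an added example, not code from Git or from this fork, of a defender-side audit that reports both conditions for a repository on disk, the kind of check one might run over mirrored or untrusted repositories before a local clone. The function name `audit_objects_dir`, the `demo` helper and the temporary repository layouts it builds are all constructed for this illustration; the real fix is upgrading to a Git release that contains the listed commits.

```python
"""Audit a repository's object directory for symbolic links.

Added example (not Git's own code). It reports the two conditions the
v2.30.8 notes describe for CVE-2023-22490: an objects directory that is
itself a symlink, and symlinks anywhere below objects/.
"""
import os
import tempfile
from pathlib import Path


def audit_objects_dir(git_dir):
    """Return a list of human-readable findings for git_dir/objects.

    An empty list means objects/ is a real directory with no symlinks
    at any depth below it.
    """
    objects = Path(git_dir) / "objects"
    findings = []

    # Condition 1: the objects directory is a symlink (points elsewhere).
    if objects.is_symlink():
        findings.append(
            f"objects directory is a symlink -> {os.readlink(objects)}")

    if not objects.is_dir():
        findings.append("objects directory missing")
        return findings

    # Condition 2: symlinks inside objects/. followlinks=False means a
    # symlinked directory is listed but never descended into, so every
    # link is reported exactly where it sits.
    for root, dirs, files in os.walk(objects, followlinks=False):
        for name in dirs + files:
            entry = Path(root) / name
            if entry.is_symlink():
                rel = entry.relative_to(objects)
                findings.append(
                    f"symlink inside objects: {rel} -> {os.readlink(entry)}")
    return findings


def demo():
    """Build three constructed bare-repo skeletons in a temp dir and audit each.

    Returns a dict mapping scenario name -> findings list.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        outside = tmp / "outside"          # constructed link target
        outside.mkdir()

        # Scenario 1: ordinary layout, objects/pack is a real directory.
        clean = tmp / "clean.git"
        (clean / "objects" / "pack").mkdir(parents=True)
        results["clean"] = audit_objects_dir(clean)

        # Scenario 2: objects itself is a symlink to a directory outside
        # the repository.
        linked = tmp / "linked.git"
        linked.mkdir()
        os.symlink(outside, linked / "objects")
        results["objects_symlink"] = audit_objects_dir(linked)

        # Scenario 3: objects is real, but objects/info is a symlink.
        inner = tmp / "inner.git"
        (inner / "objects").mkdir(parents=True)
        os.symlink(outside, inner / "objects" / "info")
        results["inner_symlink"] = audit_objects_dir(inner)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'no symlinks found'}")
```

Point `audit_objects_dir` at a bare repository or at a working copy's `.git` directory. It only inspects the object store on disk; it does not detect the transport confusion half of the issue, so it complements an upgrade rather than replacing one.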